[Cryptech Tech] trng ready for play
Bernd Paysan
bernd at net2o.de
Mon Oct 13 00:38:38 UTC 2014
On Tuesday, 7 October 2014, 07:18:56, Joachim Strömbergson wrote:
> Aloha!
>
> Bernd Paysan wrote:
> > Feeding in a full block of known stuff into SHA-2 as key for ChaCha
> > however does reduce the entropy (we only have the counter, which
> > isn't reset at reseeding).
>
> This is incorrect. ChaCha is reseeded with:
>
> (1) New 256 bit key
> (2) New 512 bit block
> (3) New 64 bit IV
> (4) New 64 bit counter initial value.
I'm not sure if I like this. Full reseeding means that an attacker who
managed to weaken (but not completely defeat) the entropy sources may guess
that state. Let's assume the attacker managed to modify the FPGA so that the
ROSCs all oscillate in harmony, or by modifying the synthesis tool to collapse
all 32 ROSCs to only one ROSC, like Xilinx's tool does without hints - they
still jitter, but it's one bit of entropy per 32 bits; and the attacker
controls the diode as well (maybe in a way that it is considered dead, and
the reseed switches over to the ROSC). Let's say, the overall entropy of
reseeding is still 28 bits; that's within reach of brute force attacks, but
out of reach to people who just check if each first random block after
reseeding is different.
You can avoid this single point of failure by not reseeding enough bits so
that each reseed will add entropy to the pool, but can't ever take entropy
out. E.g. if you want 256 bit "safety margin" against this attack, keep 256
bits of the bit block (no need for collision considerations, as the attacker
here is supposed to be unaware of the internal state).
For the initial seed, reseeding everything of course is good.
The actual ChaCha algorithm specifies that the 512 bit block is created from
the key, the IV, the counter initial value and a few constants; this allows
ChaCha to randomly seek within a stream of 2^64 blocks, and this capability is
important for using ChaCha e.g. to encrypt hard disks (though I generally
would not recommend a stream cipher for hard disk encryption, as it allows
attackers to modify known plaintext - modify, not decrypt; they know it
anyway, they just can modify it exactly as they like to). If you seed the
block with independent entropy, this is making ChaCha nonseekable, which is a
good idea when you use it as CSPRNG (you don't need the seeking property).
And then you probably should never reseed it again, which means that entropy
accumulates up to those 512 bits.
The idea is that if parts of the design are attacked, security degrades as
little as possible.
--
Bernd Paysan
"If you want it done right, you have to do it yourself"
http://bernd-paysan.de/
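The two reseeding strategies discussed in this message, as an added example that is not part of the original thread or of the Cryptech code: a toy ChaCha-based generator whose whole 512 bit block is seed material, with a reseed that either replaces all of it (full reseed) or keeps 256 bits of prior state and mixes the new material in through the block function. The class, method and function names are assumptions; the 64 byte seed/reseed material is constructed with os.urandom for illustration.

```python
import os
import struct

MASK = 0xFFFFFFFF

def _rotl(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))

def _qr(s, a, b, c, d):  # ChaCha quarter round, in place on the state list
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(state):
    """20-round ChaCha core over a 16-word state; returns the 64 output bytes."""
    s = list(state)
    for _ in range(10):
        _qr(s, 0, 4, 8, 12); _qr(s, 1, 5, 9, 13); _qr(s, 2, 6, 10, 14); _qr(s, 3, 7, 11, 15)
        _qr(s, 0, 5, 10, 15); _qr(s, 1, 6, 11, 12); _qr(s, 2, 7, 8, 13); _qr(s, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(s, state)])

class ChaChaRng:
    """Toy CSPRNG (hypothetical) whose entire 512 bit ChaCha block is seed
    material rather than fixed constants, which makes the stream non-seekable."""
    def __init__(self, seed64):
        self.state = list(struct.unpack("<16I", seed64))

    def reseed(self, seed64, keep_words):
        """keep_words=0: full reseed, the state depends on the new material only.
        keep_words=8: 256 bits of prior state are kept and the new material is
        mixed in through the block function, so entropy is added, never removed."""
        new = list(struct.unpack("<16I", seed64))
        mixed = self.state[:keep_words] + new[keep_words:]
        self.state = list(struct.unpack("<16I", chacha20_block(mixed)))

    def next_block(self):
        out = chacha20_block(self.state)
        self.state[12] = (self.state[12] + 1) & MASK  # 32-bit counter word
        return out

def output_depends_on_prior_state(keep_words):
    """Two generators with different prior state receive identical reseed
    material (constructed); True if their next outputs still differ."""
    material = os.urandom(64)
    a, b = ChaChaRng(os.urandom(64)), ChaChaRng(os.urandom(64))
    a.reseed(material, keep_words)
    b.reseed(material, keep_words)
    return a.next_block() != b.next_block()
```

With keep_words=0 both generators emit the same block, which is the single point of failure described above: whoever can predict the reseed material predicts the output. With keep_words=8 the kept half of the pool still shapes the output, so a weak reseed cannot undo the entropy already accumulated.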